Dan Raywood summarised it nicely in his article about it last month: Personal Credit Information (PCI) requirements have a long way to go before they become fool-proof, but in the meantime the current prescriptive regulations provide a great jumping-off point for businesses looking to protect customers' data and make transactions secure. Unfortunately, however, once the PCI requirements are defined, it is almost guaranteed that new and improved compliance mandates will arise. Why wait until those new mandates are introduced to implement a solution that provides complete network security visibility? Companies should focus on taking security initiatives one step further than just meeting here-and-now compliance requirements, and provide customers with the highest security regarding their personal information. With this goal in mind, companies should be taking a closer look at integrated security information and event management (SIEM) solutions, which provide customers with an in-depth view of their networks in order to meet both current – and future – compliance mandates while implementing a comprehensive security management solution.
Over the past few years, the PCI Council has set forth numerous rules and guidelines to ensure companies are taking the appropriate steps to lock down customer data and transactions. With that being said, companies are left with two options when it comes to regulatory compliance: comply and prove it, or don't comply and suffer the consequences; these two options are primary drivers of log management and SIEM adoption.
In Europe, security operations targeting threat, fraud and measures to detect cyber attacks have been the primary drivers for security budgets. We are now seeing compliance with regulatory demands growing in rank as a driver, as new regulatory compliance mandates are also becoming a best practice, especially among government entities and financial institutions.
For example, in an effort to provide government agencies with a secure electronic communications channel, parts of the UK have spent the past few years building their GCSX Code of Connection (CoCo) requirements, which will allow only government agencies to exchange information via a government-approved secure IT channel. With the deadline to comply having just passed on 30th September, government agencies that did not meet the deadline are facing numerous hurdles. Come 1st November:
- It will not be possible for local authorities to access CIS (Customer Information System) via the internet. CIS access will be available exclusively via Government Connect Secure Extranet (GCSX) or other Government Secure Intranet (GSi) family connections.
- Exchanges of sensitive Department for Work and Pensions (DWP) data provided to councils pursuant to DWP's Pension, Disability and Carers Service (PDCS) Joint Working Partnership Agreements must be via secure email over GCSX or other GSi family connections (e.g. using .gcsx, .gsi, or .gse email addresses, but not .gov.uk addresses).
- Other current and future projects that exchange DWP data with local authorities, such as the In and Out of Work programme - which is automating information exchanges between local authorities, HMRC and DWP – will comply with the Data Access Policy*.
Just this month, Financial Fraud Action UK, an entity that fights to stop financial fraud and its effects, released its latest fraud figures, which totalled £232.8 million for the first half of 2009. As a result, the group published a best practice guidance document for implementing the EU Payment Services Directive. According to Financial Fraud Action UK, the directive has been introduced to “enhance competition, transparency and ensure a consistent level of consumer protection for payment services across the EU. For UK customers, it will impact both domestic and cross-border payments, particularly those made into and out of current accounts. The PSRs come fully into force on 1st November 2009 and will be enforced by the Financial Services Authority.” (Source: UK Payments Administration)
In working closely with our customers we know that both enterprise and SMB respondents rate data protection as their top security issue. Rather than reacting to the latest threats or vulnerabilities, companies are taking a more proactive approach to security management by examining what it takes to protect the company's data. In North America, managing regulatory compliance for PCI, HIPAA and Sarbanes-Oxley (SOX) has been the top tactical security issue, with risk management, threat and fraud detection as the long-term goals. Further, each vertical has a unique set of policies to comply with: HIPAA (medical), Sarbanes-Oxley (financial), NERC and FERC (utilities) and PCI (retail and any entity utilising a card swipe: financial institutions, universities, hospitals, veterinarians, coffee shops, etc.).
In addition to the avoidance of hefty non-compliance fees, companies are seeing additional business benefits from adhering to compliance mandates, such as operating a more secure network and improved customer satisfaction and safety, not to mention the millions of dollars they are saving by preventing data breaches and network attacks. In fact, a recent study of regulatory demands on enterprises in the Italian markets, commissioned by Juniper Networks, shows us that “91 per cent of Italian IT managers interviewed say they are aware of the new regulations and know that they need to comply with stringent access log recording requirements”. (Source: Juniper).
As a result of widespread support of compliance, government entities will eventually need to comply with PCI mandates, in addition to the Code of Connection requirements. Retailers, for example, will also need to comply with Sarbanes-Oxley mandates, in addition to PCI compliance. Due to more stringent compliance regulations being enforced, companies are shifting from strictly focusing on compliance, to a balance of regulatory compliance with a business-driven security operations perspective. In other words, compliance creates the budget that permits an operational application of security management disciplines. As long as companies and organisations need to comply, they should take the opportunity to operationalise an enterprise-wide security monitoring capability by implementing an integrated, next-generation log management and SIEM solution that provides total security intelligence.